Printed on: 08/02/2015. Please go to http://policy.umn.edu for the most current version of the Policy or related document.

POLICY STATEMENT

Computers, networks and electronic information systems are essential resources for accomplishing the University's mission of instruction, research, and service outreach. The University grants members of the University community shared access to these resources in support of accomplishing the University's mission.

These resources are a valuable community asset to be used and managed responsibly to ensure their integrity, security, and availability for appropriate educational and business activities. All authorized users of these resources are required to use them in an effective, efficient, and responsible manner.

Information/data and systems may only be used by authorized individuals to accomplish tasks related to their jobs. Use of the information and systems for personal gain, personal business, or to commit fraud is prohibited.

Information not classified as Public must be protected, and must not be disclosed without authorization. Unauthorized access, manipulation, disclosure, or secondary release of such information constitutes a security breach, and may be grounds for disciplinary action up to and including termination of employment.

Authorized User

Individual or entity permitted to make use of University computer or network resources. Authorized users include students, staff, faculty, alumni, sponsored affiliates, and other individuals who have an association with the University that grants them access to University information technology resources. Some users may be granted additional authorization to access institutional data as authorized by the data owner or custodian.

Data Custodian

Representatives of the University who are assigned responsibility to serve as a steward of University data in a particular area. They are responsible for developing procedures for creating, maintaining, and using University data, based on University policy and applicable state and federal laws.

Information Technology Resources

Facilities, technologies, and information resources used for University information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, instructional materials. This definition is not all inclusive but rather reflects examples of University equipment, supplies and services.

Security Incident

An intentional or accidental occurrence affecting information or related technology in which there is a loss of data confidentiality or integrity, or a disruption and/or denial of availability.

Security Measures

Processes, software, and hardware used by system and network administrators to ensure the confidentiality, integrity, and availability of the information technology resources and data owned the University and its authorized users. Security measures may include reviewing files for potential or actual policy violations and investigating security-related issues.

Members of the University community are granted access to information technology resources in order to facilitate their University-related academic, research, and job activities. The Regents Policy on Academic Freedom extends to information resources that are available electronically. However, by using these resources, users agree to abide by all relevant University of Minnesota policies and procedures, as well as all current federal, state, and local laws. These include but are not limited to University policies and procedures related to harassment, plagiarism, commercial use, security, and unethical conduct, and laws prohibiting theft, copyright and licensing infringement, unlawful intrusions, and data privacy laws.

When guests are granted access to information technology resources they must abide by all relevant University of Minnesota policies, as well as all current federal, state, and local laws. These include but are not limited to University policies and procedures related to harassment, plagiarism, commercial use, security, and unethical conduct, and laws prohibiting theft, copyright and licensing infringement, unlawful intrusions, and data privacy laws.

Users are responsible for:

reviewing, understanding, and complying with all policies, procedures and laws related to access, acceptable use, and security of University information technology resources;

asking systems administrators or data custodians for clarification on access and acceptable use issues not specifically addressed in University policies, rules, standards, guidelines, and procedures; and

reporting possible policy violations to the appropriate entities listed in this document (in the Contacts and Procedures sections).

Liability for Personal Communications

Users of University information technology resources are responsible for the content of their personal communications. The University accepts no responsibility or liability for any personal or unauthorized use of its resources by users.

Privacy and Security Awareness

Users should be aware that although the University takes reasonable security measures to protect the security of its computing resources and accounts assigned to individuals, the University does not guarantee absolute security and privacy. Users should follow the appropriate security procedures listed in the Using Information Technology Resources appendix to assist in keeping systems and accounts secure.

The University assigns responsibility for protecting its resources and data to system administrators and data custodians, who treat the contents of individually assigned accounts and personal communications as private and does not examine or disclose the contents except:

as required for system maintenance including security measures;

when there exists reason to believe an individual is violating the law or University policy; and/or

as permitted by applicable policy or law.

Consequences of Violations

Access privileges to the University's information technology resources will not be denied without cause. If in the course of an investigation, it appears necessary to protect the integrity, security, or continued operation of its computers and networks or to protect itself from liability, the University may temporarily deny access to those resources. Alleged policy violations will be referred to appropriate University investigative and disciplinary units. For example, alleged violations by students may be directed to the Student Judicial Affairs office. The University may also refer suspected violations of law to appropriate law enforcement agencies. Depending on the nature and severity of the offense, policy violations may result in loss of access privileges, University disciplinary action, and/or criminal prosecution.

The University's Rights and Responsibilities

As owner of the computers and networks that comprise the University's technical infrastructure, the University owns all official administrative data that resides on its systems and networks, and is responsible for taking necessary measures to ensure the security of its systems, data, and user's accounts. The University does not seek out personal misuse. However, when it becomes aware of violations, either through routine system administration activities or from a complaint, it is the University's responsibility to investigate as needed or directed, and to take necessary actions to protect its resources and/or to provide information relevant to an investigation.

Individual units within the University may define additional conditions of use for resources or facilities under their control. Such additional conditions must be consistent with this overall policy but may provide additional detail, guidelines, and/or restrictions.

Roles and responsibilities for specific University entities and individuals are defined in greater detail below.

Chief Information Officer

Designate individuals who have the responsibility and authority for information technology resources.

Establish and disseminate enforceable rules regarding access to and acceptable use of information technology resources.

Investigate problems and alleged violations of University information technology policies.

Refer violations to appropriate University offices such as the Office of the General Counsel and the University Police Department for resolution or disciplinary action.

Campuses, Colleges, or Departments

Create, disseminate and enforce conditions of use that are consistent with University-wide policies for the University facilities and/or resources under their control.

Monitor the use of University resources under their control.

Investigate problems and alleged violations of University information technology policies.

Refer violations to appropriate University offices such as the Office of the General Counsel and the University Police Department for resolution or disciplinary action. Possible policy violations should be reported to the appropriate entity as listed in the Contacts section of this document.

Data Custodians

Grant authorized users appropriate access to the data and applications for which they are stewards, working with University data security and network personnel to limit access to authorized users with a legitimate role-based need.

Review access rights of authorized users on a regular basis.

Respond to questions from users relating to appropriate use of system/network resources.

Implement and oversee processes to retain or purge information according to University records retention schedules.

Determine the criticality and sensitivity of the data and/or applications for which they are stewards; determine which University data is public and private based on University definitions, in consultation with the University's Office of Records and Information Management.

Ensure that appropriate security measures and standards are implemented and enforced for the data under their control, in a method consistent with University policies and sound business practices. The security measures implemented should be based on the criticality, sensitivity, and public or private nature of the data, and may include methodologies, change management, and operational recovery plans.

Investigate problems and alleged violations of University information technology policies.

Refer violations to appropriate University offices such as the Office of the General Counsel and the University Police Department for resolution or disciplinary action.

System/Network Administrator

Take reasonable action to ensure the authorized use and security of data, networks, and the communications transiting the system or network.

Participate and advise as requested in developing conditions of use or authorized use procedures.

Respond to questions from users relating to appropriate use of system/network resources.

Cooperate with appropriate University departments and law enforcement officials in investigating alleged violations of policy or law.

Office of Records and Information Management

Assist data custodians in classifying information as public or private. Secure official rulings from the Office of the General Counsel on public and private information.

University Police Department

Respond to alleged violations of criminal law.

Coordinate all activities between the University and outside law enforcement agencies.

General Counsel

Provide legal advice on official rulings on public, private and confidential information.

University Office of Information Technology Security

Protect the University network, systems, and data. Coordinate with designated campus, collegiate, or unit technical and security staff to ensure the confidentiality, integrity, and availability of University systems and ensure that appropriate and timely action is taken. Determine if an on-site technical security evaluation is necessary and if any mitigation steps will be required. Coordinate with the unit technical/security staff to assure that appropriate diagnostic, protective, remedial, and other actions are taken as necessary to protect University resources. Coordinate with the appropriate University offices (compliance, legal, human resources, and student conduct) as well as external Internet Service Providers (ISPs) and law enforcement as necessary.

May 2006 - Added this sentence to policy statement: "Units, campuses that grant guest access to University information technology resources must make their guests aware of User Rights and Responsibilities."

April 2004 - Title for appendix A is now: Using Information Technology Resources Standards to more accurately reflect that it is required. Appendix A was listed as a "guideline" before formal definitions of guidelines and standards were established.

August 1998 - Revised Policy Statement, Responsibilities, Definitions and Appendix A: Guidelines for Using Information Technology Resources. Updated and reorganized related information section. Intent of the revision is to more clearly address issues related to commercial use, spamming, University ownership of data, and University liability for personal or unauthorized use. Title changed from Acceptable Use of Computers, Networking, and Information Technology to Acceptable Use of Information Technology Resources. Responsible Officer changed from Executive Vice President and Provost to Chief Information Officer.

Amended:

December 1997 - Responsible Officer changed from Senior Vice President of Academic Affairs to Executive Vice President and Provost.

Effective:

December 1996

Document Feedback

Your name

E-mail

The content of this field is kept private and will not be shown publicly.